Comments on: Savant Template Engine
https://www.sitepoint.com/savant-template-engine/
Feed last built: Mon, 14 Aug 2017 11:54:00 +0000

By: _Psih (https://www.sitepoint.com/savant-template-engine/#comment-33992)
Sat, 27 Aug 2005 00:48:56 +0000

To me it is better for a designer to learn basic PHP commands once than to learn Smarty one time and some other template language another time. At our office we came to the conclusion that Savant-like template engines are more flexible. If a designer needs something special, we can always write a plugin! We are developers, by the way! If you write a quite big application, it usually has its own unique plugins, which make life much easier. Some of them are universal, some not. In any case, I worked with Smarty… when I came to building a table with colspans and rowspans at once, I started to hate it, because I had to write a lot of PHP code in the application core so that Smarty could handle that table generation. Savant would make it much easier, because you can write complex PHP code in the template if you need it. And that was the thing that I needed in my case.
By: pmjones (https://www.sitepoint.com/savant-template-engine/#comment-33991)
Mon, 22 Aug 2005 23:23:08 +0000

Hi Chris — Regarding designers who need to learn a new language to get work done: either they get stuck learning the Smarty markup language, or they get stuck learning a minimal set of PHP commands. If they’re not a security threat, I’d say PHP itself is both easier and more flexible.
By: Alan Knowles (https://www.sitepoint.com/savant-template-engine/#comment-33966)

Great way to introduce XSS attacks into your code…

<?php echo $value['name'] ?>

Do you know where that came from? Is it safe?
Never trust your own code here: that may be safe today, but one day you will make a change to the backend code and forget it is used at output time… opening the door to XSS attacks.

This is why PHP style templates are just a bad idea.. – unless you copy and paste htmlspecialchars everywhere, in which case, you have to look through the trees to see the bugs…

The output layer should default to escaping code if possible, and make it easy to find where escaping is not done, not the other way round.

That’s without getting into the undocumented madness that smarty and savant use with $object->assign()…

By: charmedlover (https://www.sitepoint.com/savant-template-engine/#comment-33967)

Wow, quite a good post – and something very useful to me. I write software and this templating system looks quite useful, as I don’t want something as complex as Smarty.

Although I have my own small templating system for Ottoman, a future product I’m working on would be much easier to program and manage if I used Savant2.

Again, thanks for the post.

By: Lachlan (https://www.sitepoint.com/savant-template-engine/#comment-33968)

In my work and projects I tend to use Brian Lozier’s Template class. It uses pretty much exactly the same mechanism that Savant uses, i.e. basically a fancy wrapper for a function-scoped call to extract. It’s lightweight, simple and does exactly what I need. For plugins I simply pass in view objects.

One thing worth mentioning about templating in PHP is that it’s not about separating PHP code from template files, it’s about separating business logic from presentation. There is nothing inherently evil about having code in your template files, so long as it’s code which exists solely to service the presentational aspects of what you are trying to accomplish.

This separation isn’t ever going to be solved entirely by the templating software, it’s something which has to be separated by the developer as part of a conscious design decision.

> PHP offers an alternative syntax for some of its control structures; namely, if, while, for, foreach, and switch. In each case, the basic form of the alternate syntax is to change the opening brace to a colon (:) and the closing brace to endif;, endwhile;, endfor;, endforeach;, or endswitch;, respectively.

Alternatively you could have looked at the list of PHP parser tokens. Either place lists endforeach as valid PHP.

> This is why PHP style templates are just a bad idea.. – unless you copy and paste htmlspecialchars everywhere, in which case, you have to look through the trees to see the bugs…
>
> The output layer should default to escaping code if possible, and make it easy to find where escaping is not done, not the other way round.
>
> That’s without getting into the undocumented madness that smarty and savant use with $object->assign()…

I’m not sure I follow, isn’t having a presentation detail like calls to htmlspecialchars located in the presentation template a good thing? If you have your calls to htmlspecialchars sprinkled throughout your business logic layers how are you going to prevent double escaping?

I tend to work on a programming-by-contract method, whereby my templating layer (the view) counts on the fact that it is being passed unescaped data. The template’s job is then to format the data provided for presentation; if that presentation language is HTML then it gets escaped.

By: Olate (https://www.sitepoint.com/savant-template-engine/#comment-33973)

There is currently discussion on the Savant mailing list about a new function in the 2.4 release which will handle all the escaping for you. So instead of using echo, which you rightly said might cause XSS problems, you would use the built-in Savant function and then any necessary escaping would be done for you.
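The escape-by-default output layer Alan Knowles asks for, the contract Lachlan describes (the view is handed unescaped data and escapes exactly once, at output time) and the kind of helper Olate says Savant 2.4 was discussing, shown together as an added example. This is not the original page's code and not Savant's API: the View class, its assign(), e(), raw() and render() methods, the eval()-based renderer and the sample input are all assumptions made for illustration. The templates use the alternative control-structure syntax (foreach: … endforeach) quoted earlier in the thread.

```php
<?php
// Added example (not Savant's code): a minimal PHP-style view that escapes
// by default. Class and method names are illustrative assumptions.
declare(strict_types=1);

final class View
{
    /** @var array<string, mixed> Data assigned by the controller, stored unescaped. */
    private array $vars = [];

    // Contract: the template is handed UNESCAPED data. Escaping is a
    // presentation detail and happens exactly once, at output time.
    public function assign(string $name, $value): void
    {
        $this->vars[$name] = $value;
    }

    // Default output path: HTML-escape. ENT_QUOTES also covers attribute
    // values; ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing ''.
    public function e($value): string
    {
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // The only way to emit markup unescaped. A grep for "->raw(" lists every
    // place a template opted out, which is the reviewability asked for above.
    public function raw(string $html): string
    {
        return $html;
    }

    // Evaluate a template in the view's scope so that assigned variables and
    // $this are visible. A real engine would include() a template file;
    // eval() is used here only so the example fits in one file.
    public function render(string $template): string
    {
        extract($this->vars, EXTR_SKIP);
        ob_start();
        eval('?>' . $template);
        return (string) ob_get_clean();
    }
}

// Constructed sample input: the second display name is attacker-controlled.
$names = ['alice', '<script>alert(document.cookie)</script>'];

$view = new View();
$view->assign('names', $names);
$view->assign('company', 'AT&T');

// 1. The pattern criticised in the thread: a bare echo. The script tag is
//    emitted verbatim and would run in the visitor's browser.
$unsafe = $view->render(
    '<ul><?php foreach ($names as $n): ?><li><?php echo $n ?></li><?php endforeach ?></ul>'
);

// 2. Escape by default: the same template calling $this->e(). The payload
//    is rendered as inert text.
$safe = $view->render(
    '<ul><?php foreach ($names as $n): ?><li><?php echo $this->e($n) ?></li><?php endforeach ?></ul>'
);

// 3. Escaping once, at output, avoids double escaping: '&' becomes '&amp;',
//    not '&amp;amp;' as it would if the controller had already escaped it.
$once = $view->render('<p><?php echo $this->e($company) ?></p>');

echo $unsafe, "\n", $safe, "\n", $once, "\n";
```

Run with `php view.php`: the first line contains the literal script element, the second contains `&lt;script&gt;…&lt;/script&gt;` inside the list item, and the third is `<p>AT&amp;T</p>`. Keeping escaping in the view rather than in the business layer is what makes the third case come out escaped exactly once.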